Disk encryption software is often used to encrypt and decrypt information as it is being stored to or read from data storage, e.g., a hard drive, solid state disk, and the like. In such instances data encryption is often performed by an application running in kernel mode using an encryption key. Data encrypted with the encryption key is generally safe provided the encryption key (or a corresponding decryption key) remains protected. In this regard, a wide range of technologies are available for protecting encryption and/or decryption keys from access by unauthorized parties. For example, a key may be protected by wrapping the key in a user provided pass phrase, sealing the key with a trusted platform module and/or a smart card, and the like.
Although existing key protection technologies are useful, they are not completely secure. This is due to the fact that many encryption technologies expose the plain text of a key in memory as encryption operations are being performed on plain text or cipher text. This presents an opportunity for an enterprising hacker and/or malware to obtain the plain text of a key.
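The two preceding paragraphs describe key wrapping under a user passphrase and the window in which the unwrapped key sits in plain text in memory. The following added example (not part of the original text, and not any particular product's implementation) illustrates both in Go using only the standard library: the disk encryption key (DEK) is sealed with AES-256-GCM under a key-encryption key (KEK) derived from the passphrase with PBKDF2-HMAC-SHA256, and the KEK and DEK are overwritten as soon as they are no longer needed. The blob layout (salt, nonce, ciphertext), the 16-byte salt and the iteration count are assumptions chosen for the example; the zeroization is best effort, because the Go runtime may already have copied the bytes, which is precisely the exposure the text is concerned with.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assumed parameters for this example (not from the original text).
const (
	saltLen       = 16
	kdfIterations = 100000
	kekLen        = 32 // AES-256
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256, written out so the example
// needs nothing outside the standard library.
func pbkdf2SHA256(pass, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, pass)
	out := make([]byte, 0, keyLen)
	for block := uint32(1); len(out) < keyLen; block++ {
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(be[:])
		u := prf.Sum(nil)               // U_1
		t := append([]byte(nil), u...)  // T = U_1
		for i := 1; i < iter; i++ {     // T ^= U_2 ... U_iter
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// zeroize overwrites key material in place. This is best effort: the
// runtime may have copied the slice (e.g. on append growth), so a plain
// text copy can survive, which is the in-memory exposure discussed above.
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey seals dek under a passphrase-derived KEK.
// Output layout (assumed for this example): salt || nonce || AES-GCM ciphertext.
func WrapKey(dek []byte, passphrase string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	// []byte(passphrase) makes a copy; the original string cannot be wiped,
	// so the passphrase itself is also exposed in memory for its lifetime.
	kek := pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, kekLen)
	defer zeroize(kek)
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append(append([]byte(nil), salt...), nonce...)
	return aead.Seal(blob, nonce, dek, nil), nil
}

// UnwrapKey reverses WrapKey. A wrong passphrase or a tampered blob fails
// GCM authentication and returns an error instead of a garbage key.
func UnwrapKey(blob []byte, passphrase string) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("wrapped key blob too short")
	}
	salt := blob[:saltLen]
	kek := pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, kekLen)
	defer zeroize(kek)
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < saltLen+ns {
		return nil, errors.New("wrapped key blob too short")
	}
	nonce, ct := blob[saltLen:saltLen+ns], blob[saltLen+ns:]
	return aead.Open(nil, nonce, ct, nil) // caller must zeroize the result after use
}

func main() {
	dek := make([]byte, 32) // constructed DEK; a real one comes from a CSPRNG
	for i := range dek {
		dek[i] = byte(i)
	}
	blob, err := WrapKey(dek, "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("wrapped:", hex.EncodeToString(blob))
	plain, err := UnwrapKey(blob, "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	// From here until zeroize, the DEK is plain text in process memory.
	fmt.Println("unwrapped:", hex.EncodeToString(plain))
	zeroize(plain)
	zeroize(dek)
}
```

Only the wrapped blob should ever reach persistent storage; the window between `UnwrapKey` returning and `zeroize` running is the interval a memory dump would have to capture, so keeping it short and never leaving the unwrapped key in a long-lived structure is the practical takeaway.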
For example, an unauthorized third party may execute a so-called “cold-boot” attack to cause an encryption system to dump the content of its physical memory, including the plain text of a key therein, after which the third party may recover the key from the resulting dump file. Alternatively, the third party may execute a so-called “evil maid” attack to install a key logger to intercept a user passphrase as it is entered, which could then be used by the third party to recover the plain text of the encryption key. Similarly, a “blue-pill” attack could be implemented to create a virtual machine monitor (VMM) beneath the software stack of a client system. Depending on the implementation, the VMM could be employed to capture the encryption key directly, or to capture a user pass phrase which could be used to recover the plain text of the encryption key.
In view of the foregoing, interest has grown in technologies for hardening disk encryption. In particular, interest has grown in technologies for protecting the key(s) used to encrypt and decrypt information during the performance of encryption operations.